[c-nsp] Shaping in/out on Ethernet subinterfaces (7206 NPE-G1) and CPU usage

Lukas Tribus luky-37 at hotmail.com
Fri Feb 14 03:29:43 EST 2014


>> Don't know. Read "Troubleshooting High CPU Utilization on Cisco Routers" [1]. 
> Ok thank you, I will study this link.

More specifically, post the output of "show proc cpu sort".

If the cpu is mostly spent in interrupts (CPU utilization for five seconds: a%/b%;
where b% is nearly as high as a%), then the load simply depends on your traffic
patterns (also see [1]).

If this is the case, you should check the traffic patterns.

>> Extremely wild guess: you may see increased bursty traffic due to NTP 
>> amplification attacks. Read the NTP DDoS thread [2]. Check whether hosts 
>> behind this router are vulnerable. This can really hit a software 
>> router hard. 
> I will check that but I think this router is not concerned. 

Not the router, but the hosts behind it. The router will have high cpu load
in interrupts because of the increased pps rate. Check with netflow if you
see a lot of udp/123 traffic.

Does the customer report packet loss, btw?

>> Would an NPE-G2 be sufficient in the short term before moving to a real router 
>> such as an ASR 1k? 
> What traffic patterns do you have? What are you doing on the box besides 
> routing and NAT? IPsec? Nbar? Netflow? 
> About the traffic, we have 60 mbps for the out interface and 2 x 30 
> mbps for 2 in interfaces (customers side). 
> On this router, we are doing: 
> - VRF and NAT to internet for customers which have private subnets 
> behind a CPE (around 90 subinterfaces) 
> - simple routing for customers which have public subnets behind a CPE 
> (around 20 subinterfaces) 
> - GRE tunnels (around 10) 
> - Nbar for QoS with shaping and policing. 

Are you doing any fragmentation when routing through to the GRE tunnels?
Make sure you don't do this.



[1] http://www.cisco.com/c/en/us/support/docs/routers/7500-series-routers/41120-highcpu-interrupts.html
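
The two checks suggested in this message (how much of the five-second CPU figure a%/b% is interrupt time, and how much udp/123 traffic the flow cache shows), as an added example that is not part of the original post. The sample outputs and addresses are constructed; the script assumes `show ip cache flow` style lines, where the protocol and port columns are printed in hex and the packet count is a plain integer.

```python
import re
from collections import Counter

# Constructed sample output (documentation addresses), not taken from the thread.
CPU_HEADER = "CPU utilization for five seconds: 92%/85%; one minute: 88%; five minutes: 86%"
FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1.101     192.0.2.10      Gi0/3         198.51.100.7    11 007B C350  4200
Gi0/1.101     192.0.2.10      Gi0/3         198.51.100.9    11 007B 9C40  3900
Gi0/1.102     192.0.2.20      Gi0/3         203.0.113.5     06 C001 0050    12
Gi0/3         203.0.113.80    Gi0/1.101     192.0.2.10      11 D431 007B    35
"""

def interrupt_share(header):
    """Return (total %, interrupt %, interrupt/total) from the a%/b% five-second figure."""
    m = re.search(r"five seconds:\s*(\d+)%/(\d+)%", header)
    if not m:
        raise ValueError("no five-second CPU figure found")
    total, intr = int(m.group(1)), int(m.group(2))
    return total, intr, (intr / total if total else 0.0)

def ntp_packets_by_source(flow_text):
    """Sum packets per source IP for UDP flows with port 123 on either side."""
    totals = Counter()
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # skip the header and anything that is not a flow row
        src_ip, proto, sport, dport, pkts = f[1], f[4], f[5], f[6], f[7]
        # Protocol and ports are hex in this output: 11 = UDP, 007B = 123.
        if int(proto, 16) == 17 and 123 in (int(sport, 16), int(dport, 16)):
            totals[src_ip] += int(pkts)
    return totals

if __name__ == "__main__":
    total, intr, share = interrupt_share(CPU_HEADER)
    print(f"five-second CPU {total}%, interrupt {intr}% ({share:.0%} of total)")
    for ip, pkts in ntp_packets_by_source(FLOW_CACHE).most_common():
        print(f"{ip:15} {pkts:>8} packets on udp/123")
```

A source address behind the router that sends far more udp/123 packets than it receives is the host to check for the NTP issue discussed in [2].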
